
I believe that's all of the packages, but I am not 100% sure for each distro.
By installing the packages listed above with yum/apt/zypper, the system SHOULD get all the
necessary dependent packages that need to be installed too.

Remember /etc/ldap.conf and /etc/openldap/ldap.conf are 2 different files and are for different applications.

/etc/ldap.conf: # Used by pam to perform authentication.
/etc/openldap/ldap.conf: # Used by the openldap tools and application to connect.
/etc/krb5.conf: # Used to bind to kerberos
/etc/nsswitch.conf: # Used to define where to collect user info (local 1st, network 2nd)
/etc/sysconfig/authconfig: # Used to tell the system what applications to use to authenticate.
/etc/ntp/steptickers # Used for clock sync at boot
/etc/ntp/ntpserver # servers to use by ntpd
/etc/ntp.conf # configure system to use or act as a stratum 1, 2 or 10 server (10 means no source available; use BIOS clock)

How To configure:
Start by getting the certificate from the Active Directory server. The Windows certificate will be
<servername.domainname>.crt. This has to be converted to a PEM format. CRT is a DER format.
To do this use the following command:

openssl x509 -in input.crt -inform DER -out output.crt -outform PEM

Place the newly converted certificate in /etc/pki/tls/certs or in a directory the openldap
application can read. I used /etc/openldap/cacerts.
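The conversion step above, as an added example that is not from the original post: a small sh script that checks whether the exported certificate is already Base-64 (PEM) or DER before converting it, since the Windows export wizard can produce either, and then prints the subject, issuer and validity of the result so that a certificate from the wrong domain or an expired one is noticed before it is trusted as TLS_CACERT. The file names used are placeholders, not paths from the post.

```shell
#!/bin/sh
# Added example (not from the original post): detect whether an exported AD
# certificate is DER or Base-64 (PEM) and convert it only when needed.
# File names used below are placeholders chosen for this example.

# Print PEM, DER or UNKNOWN for the certificate file given as $1.
cert_format() {
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
        echo PEM
    elif [ "$(dd if="$1" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        # every DER certificate starts with the ASN.1 SEQUENCE tag 0x30
        echo DER
    else
        echo UNKNOWN
    fi
}

# Write a PEM copy of $1 to $2, converting from DER with openssl if required,
# then print subject, issuer and validity so the admin can confirm it is the
# root cert of the right AD domain before pointing TLS_CACERT at it.
to_pem() {
    in=$1
    out=$2
    case $(cert_format "$in") in
        PEM) cp "$in" "$out" ;;
        DER) openssl x509 -in "$in" -inform DER -out "$out" -outform PEM ;;
        *)   echo "unrecognised certificate format: $in" >&2; return 1 ;;
    esac
    chmod 644 "$out"   # the CA cert is public; nss_ldap runs inside every process
    openssl x509 -in "$out" -noout -subject -issuer -dates
}

# Usage: sh convert-cacert.sh adserver.crt /etc/openldap/cacerts/adserver.pem
if [ "$#" -eq 2 ]; then
    to_pem "$1" "$2"
fi
```

The format check is deliberately done without openssl so the script fails with a clear message on a file that is neither format (for example an HTML error page saved with a .crt name) instead of openssl's generic ASN.1 error.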

Next you want to configure the /etc/openldap/ldap.conf. Again, this file IS NOT the same as
/etc/ldap.conf. Only the basic information is necessary here.

HOST = The LDAP server
URI = The ldap://<ipaddr> to use. If use tls/SSL use ldaps://<ipaddr>
BASE = The root to start searching from in the AD tree (Notice I start below the root domain)
TLS_REQCERT = Whether or not to request a certificate from the server
TLS_CACERT = The root cert from AD that was converted earlier (this can be any dir openldap can access)
SSL start_tls = Use TLS to do basic encryption to AD

If you are using SELinux ensure the context is correct.
Use semanage to set the context if it is wrong.

------------------------------------------------------------------------
# To configure /etc/ldap.conf do the following:
# (To avoid DNS lookups, place the IP/FQDN in the /etc/hosts file, e.g.
# 192.168.0.1 myhost.example.com)

uri = ldap://<fqdn> or ldaps://<fqdn>
#host = same as above. This can be the IP or FQDN.
(Only use uri or host)
base = Same as above
ldap_version = not necessary if doing version 3, it is the default
binddn = User acct to connect to AD and query information with.
(MS admins should limit the access as much as possible to this account, ex..guest)
bindpw = password used to connect to AD by user specified above
scope = sub specifies to search the tree from base and below
(Remember base is specified above)
timelimit = Time for ldap query to wait
#ssl = I use sasl so ssl is not used.
nss_map_objectclass = maps the LDAP attribute posixAccount to User
nss_map_objectclass = maps the LDAP attribute shadowAccount to User
nss_map_objectclass = maps the LDAP attribute posixGroup to Group
nss_map_objectclass = maps the UNIX attribute uid to sAMAccountName
nss_map_objectclass = maps the LDAP attribute uidNumber to uidNumber
nss_map_objectclass = maps the LDAP attribute gidNumber to gidNumber
nss_map_objectclass = maps the LDAP attribute cn = sAMAccountName
nss_map_objectclass = maps the LDAP attribute homeDirectory to unixHomeDirectory
(you must have the path mounted or tell the system to create dirs for this to work)
nss_map_objectclass = maps the LDAP attribute gecos to name
pam_login_attribute = assigns the pam userid to sAMAccountName
pam_filter = filters pam for user information
nss_base_passwd = specifies the nss_ldap base, the sub at the end tells it to search base and below
nss_base_shadow = same as above
nss_base_group = same as above but collects group info
tls_cacert = path to the converted PEM certificate from AD
tls_reqcert = Never request a certificate, it is already installed above.
bind_policy = Fixes a problem when booting to stop hangs at messagebus (Fedora/Redhat)
(There is a chicken/egg problem here.)

** If you need to add attributes just follow the syntax above for mapping
-------------------------------------------------------------------------

Tells the system where to get its User/Group/Password info from.
I only use it for auth and group membership.

/etc/nsswitch.conf
passwd: = Use local files first, winbind, then LDAP
shadow: = Use local files first, then LDAP
group: = Use local files first, winbind, then LDAP

You can use more but with LDAP you will need to map the attribute above.

This is self explanatory. It is either yes or no. I recommend using LDAP for user info and Kerberos
for Auth. This howto is for that specific configuration.

This can be configured with system-config-authentication
Do not modify the setting if you are configuring the files manually.

Run:
system-config-authentication (In runlevel 5 a GUI will pop up, in runlevel 3 this will use ncurses)
Select LDAP on the user-information tab.
Select kerberos on the Authentication tab.
On the last tab select create home directory if you want the system to create the home dir for you.
Click OK.

This will also configure PAM for you

The final steps are simple
ensure that nscd and cyrus-sasl start at reboot.

chkconfig nscd on
chkconfig saslauthd on

That should be about it.

------------------------------------------------------------------------
The files I use are listed below:
#########################################################################
FILES: #
#########################################################################

/etc/openldap/ldap.conf

HOST <FQDN> #This can be an IP
URI ldaps://<ipaddr> # Use ldaps if port 636 is used
BASE cn=users,dc=subdomain,dc=domain,dc=com # Base domain to start search from
TLS_REQCERT never # Request a Cert from server
TLS_CACERT /etc/openldap/cacerts/certificate.pem # ENSURE this is the right cert and not from a different domain
BINDDN ldapman@subdomain.domain.com # User to connect as
SSL start_tls # Start tls for simple encryption
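The settings in the two ldap.conf files above decide whether the AD connection can actually be trusted, and TLS_REQCERT is the one to watch: with "never" the client does not check the server's certificate at all, so the converted AD root placed in TLS_CACERT is never used and a spoofed directory server would be accepted; "demand" is the value that makes the CA cert do its job. As an added example (not the post's own files or any project code), here is a sh audit function that reads an ldap.conf in either the uppercase OpenLDAP style or the lowercase nss_ldap style and reports the weak settings; the config contents in its test are constructed placeholders, including the password.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenLDAP or nss_ldap
# ldap.conf for settings that weaken the AD connection. Key names are matched
# case-insensitively, and both "KEY value" and "key = value" are accepted.

# Print one finding per line for the file given as $1; prints nothing if clean.
audit_ldap_conf() {
    f=$1
    # TLS_REQCERT never/allow: any server certificate is accepted, so the
    # converted AD root cert in TLS_CACERT is never checked. Use "demand".
    if grep -qiE '^[[:space:]]*tls_reqcert[[:space:]=]+(never|allow)' "$f"; then
        echo "$f: TLS_REQCERT is never/allow, server certificate is not verified (use demand)"
    fi
    # ldap:// without StartTLS sends the bind password and directory data in clear text.
    if grep -qiE '^[[:space:]]*(uri|host)[[:space:]=]+ldap://' "$f" \
       && ! grep -qiE '^[[:space:]]*ssl[[:space:]=]+start_tls' "$f"; then
        echo "$f: plain ldap:// URI without 'ssl start_tls', traffic is unencrypted"
    fi
    # TLS in use but no CA certificate configured: there is nothing to verify against.
    if grep -qiE '^[[:space:]]*(uri[[:space:]=]+ldaps://|ssl[[:space:]=]+start_tls)' "$f" \
       && ! grep -qiE '^[[:space:]]*tls_cacert(file|dir)?[[:space:]=]+' "$f"; then
        echo "$f: TLS in use but no TLS_CACERT to verify the server against"
    fi
    # A bind password in a file other users can read exposes the service account.
    # Characters 8-10 of "ls -ld" output are the permission bits for "other".
    if grep -qiE '^[[:space:]]*bindpw[[:space:]=]+' "$f" \
       && [ "$(ls -ld "$f" | cut -c8-10)" != "---" ]; then
        echo "$f: bindpw stored in a world-readable file (use rootbinddn + /etc/ldap.secret or a read-only account)"
    fi
    return 0
}

# Usage: sh audit-ldap-conf.sh /etc/openldap/ldap.conf /etc/ldap.conf
if [ "$#" -ge 1 ]; then
    for f in "$@"; do audit_ldap_conf "$f"; done
fi
```

The bindpw check is the one that needs judgement on a real system: nss_ldap reads /etc/ldap.conf from every process, so that file has to stay world-readable, and a password in it is visible to every local user. nss_ldap's rootbinddn option with the password kept in /etc/ldap.secret (mode 600) exists for exactly that reason, and the post's advice to give the bind account as little access as possible is the other half of the mitigation.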

I had the great experience to work with battletroll on getting the linux side configured correctly for AD Authentication. The instructions/guide written are clear and easy to follow. At times, I would get confused and shoot an email only to get a response with more help.